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@ A method of controlling the use of securely 
transmitted information in a network of stations in 
which each potentially cooperating station includes a 
cryptographic facility which securely stores a master 
key and in which, for each transmission between a 
pair of stations, a cryptographic key result is pro- 
vided for each station of the pair by a generating 
station which is either one of tiie pair or a station 
external to tiie pair under a cryptographic protocol 
common to tine network, the cryptographic key re- 
sults for tiie ti-ansmission having a random compo- 
nent notionally particular to the fransmission, a mas- 
ter key variant component characteristic of tiie pro- 
tocol and a target station component either particular 
to the stations individually or as a pair, wherein, in 
response to a generating command invoked in the 
generating station for establishing a controlled use 
secure transmission between a designated pair of 
stations, tiie generating station generates the cryp- 
tographic key result for each designated station, 
accesses tiie control value common to tiie system 



for tiie permitted operation for each of ttie stations 
for the particular transmission, combines the control 
value witii the common key result or each individual 
key result and causes tiie appropriate combined key 
result to be established in each station of the pair for 
tiie transmission, and wherein the cryptographic fa- 
cility in each station is arranged, when an operating 
command is invoked to perform a designated opera- 
tion with respect to such securely transmitted in- 
formation, to automaticaiiy abort such operation un- 
less it matches the control value. 
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CONTROLUNG THE USE OF CRYPTOGRAPHIC KEYS VIA GENERATING STATION ESTABUSHED CON- 
TROL VALUES 



The present invention relates to controlling the 
use of cryptographic keys via generating station 
established control values. It is noted that generat- 
ing station may also be a using station. 

Cryptography is the only known practical 
means for protecting Information transmitted 
through a large communications network, be it tele- 
phone line, microwave, or satellite. A detailed dis- 
cussion of how cryptography can be used to 
achieve communications security is provided in tiie 
book by Carl H. Meyer and and Stephen M. 
Matyas entitled Cryptography: A New Dimension in 
Computer Data Security . John Wiley & Sons 
(1982). Cryptography can also be used to achieve 
file security, and a protocol is developed in tiie 
Meyer and Matyas book for the encryption of data 
stored in removable media. Other subjects dis- 
cussed in the book are enhanced authentication 
protocols, including personal verification, message 
authentication, and digital signatures. These sub- 
jects are of particular interest to those concerned 
with electronic funds transfer and credit card ap- 
plications within the banking and finance industry, 
or any otiier area where tiie originator, timeliness, 
contents, and intended receiver of a message must 
be verified. 

In the prior art, several references respectively 
illustrate protocols for distributing cryptographic 
keys among cryptographically communicating 
nodes. Further, tiiey discuss authentication as a 
process independent of the establishment of ses- 
sion keys. These references include U.S. patent 
No. 4,227.253 to Ehrsam et al. entitied 
"Cryptographic Communication Security for Mul- 
tiple Domain Networks" issued October 7. 1980. 
and U.S. Patent No. 4.218,738 to Matyas et al. 
entitied "Method for Authenticating the Identity of a 
User of an Information System" issued August 19, 
1980. The Matyas et al. patent involves a node 
sending a pattern to a terminal requiring the termi- 
nal to modify \he pattern and remit its modification 
back to tiie host to permit a comparison match. 

Ehrsam et al.. U.S. Patent No. 4.227.253. de- 
scribe a communication security system providing 
for the establishment of a session key and the 
concept of cross-domain keys. The Ehrsham et al. 
patent typifies a mechanism, i.e., the use of cross- 
domain keys, used for exchanging session key 
information between nodes on the one hand the 
protecting tiie secrecy of the node master keys on 
the other hand. More specifically, Ehrsam et al. 
describe a cryptographic facility at a host computer 
which, among other things, has a master key KMO 
with first and second variants of the master key. 



denoted KM1 and KM2, and cryptographic oper- 
ations in support of cryptographic applications and 
key management, denoted ECPH, OCPH, RFMK. 
and RTMK. Variants of the master key are obtained 

5 by inverting designated bits in the master key to 
produce different keys, which is just equivalent to 
Exclusive-ORing predetermined mask values with 
tine master key to produce tiie variant master keys. 
The neumonics ECPH, DCPH, RFMK, and RTMK 

10 represent tiie cryptographic operations for Encipher 
Data. Decipher Data, Reencipher From Master Kay, 
and Reencipher To Master Key. A precise defini- 
tion of these cryptographic operations is unimpor- 
tant to the present disclosure; however, the method 

75 is such that keys encrypted under KMO can be 
used beneficially with tiie ECPH and DCPH func- 
tions, keys encrypted under KM1 can be used with 
the RFMK function, and keys encrypted under KM2 
can be used with the RTMK function, but not vice 

20 versa. If VO, V1 and V2 denote the mask values 
which when Exclusive-ORed with KM produce KMO, 
KM1 and KM2, respectively, then there is an impli^ 
cit control by tiie mask values of which encryptog- 
raphic keys may be beneficially used by which of 

25 these cryptographic functions. Although Ehrsam et 
al. uses variants to control the use of cryptographic 
keys, by coupling tiie variants to the cryptographic 
operations, there is a one-to-one equivalence be- 
tween the cryptographic operations and the pre- 

30 scribed variants of tiie key parameters allowed with 
each cryptographic operation. The Ehrsam et al. 
architecture does not allow different combinations 
of variants of keys to be used witii each cryp- 
tographic function. Thus, for example, if ECPH and 

35 DCPH are supported and it is desired to implement 
data keys with properties of Encipher Only, De- 
cipher Only, and Encipher/Decipher using variants 
VI. V2 and V3, there is no way to assign ttiese 
variants to ttie ECPH and DCPH operations to 

40 implement tiie desired data key properties, i.e., 
there are not enough variants defined for these 
operations to accomplish the purpose. In effect, to 
design such a system requires an ECPH1 which 
operates with VI, an ECPH2 which operates with 

45 V3. a DCPH1 which operates witii V2, and a 
DCPHSf which operates wiUi V4. Therefore, the use 
of variants to control the use of a cryptographic key 
in a sophisticated architecture would require the 
function set to be expanded, and tiiis expansion in 

50 the function set has disadvantages the most impor- 
tant of which are tiie increase' of system complexity 
and cost 

U.S. Patent No. 4.386.233 to Smid et al. en- 
titied "Cryptographic Key Notarization Metiiods and 
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Apparatus" issued May 31, 1983. describes a tech- 
nique of notarizing cryptographic keys for a cryp- 
tographic function by encrypting the keys with the 
cryptographic function using a notarizing crypto- 
graphic key derived from identifier designations 
associated with the encryptor and intended decryp- 
tor, respectively, and an interchange key which is 
accessible only to authorized users of the cryp- 
tographic function. In other words, Smid et al. con- 
trol who can use a key but not how the key can be 
used. Smid et ai's notarizing key is derived by 
concatenating the binary equivalent of the encryp- 
tor's identifier designation with the binary equiv- 
alent of the decryptor's identifier designation as an 
ordered pair and logically combining in an 
Exclusive-OR operation the concatenated result 
with the interchange key. 

U.S. Patent No. 4.503,287 to Morris et al. en- 
titled "Two-Tiered Communication Security Em- 
ploying Asymmetric Session Keys" issued March 
5, 1985, describes a technique for ensuring com- 
munications security between a host computer and 
another remote computer or terminal by means of 
a two-tiered cryptographic communications security 
device and procedure. The Monis et al. technique 
employs two session keys, one which is encrypted 
under a master key and transmitted from a remote 
facility to the host where it is stored, and one which 
is generated at the host encrypted under the mas- 
ter key and transmitted to the remote facility where 
it is used as a session decryptor key. 

Thus, while the prior art provides various pro- 
tocols for distributing cryptographic keys among 
cryptographically communicating nodes and even 
provides a way of controlling who may use a cryp- 
tographic key at a particular node, there has not 
been a practical and effective solution to the prob- 
lem of how to the control the use of tiie cryp- 
. tographtc key at a node, particularly in a sophisti- 
cated system. Frequently, different types of keys 
must be distributed to certain system nodes. 

The present invention provides a method of 
controlling the use of securely transmitted informa- 
tion in a network of stations in which each poten- 
tially cooperating station includes a cryptographic 
facility which securely stores a master key and in 
which, for each transmission between a pair of 
station, a cryptographic key result is provided for 
each station of tiie pair by a generating station 
which is eitiier one of the pair or a station external 
to the pair under a cryptographic protocol common 
to tfie network, tiie cryptographic key results for 
the transmission having a random component no- 
tionally particular to the transmission, a master key 
variant component characteristic of tiie protocol 
and a target station component eittier particular to 
Uie stations individually or as a pair, wherein, in 
response to a generating command invoked in tiie 



generating station for establishing a controlled use 
secure transmission between a designated pair of 
stations, the generating station generates the cryp- 
tographic key result for each designated station, 

5 accesses the contix)i value common to the system 
for tiie permitted operation for each of the stations 
for tiie particular transmission, combines the con- 
trol value with the common key result or each 
individual key result and causes the appropriate 

10 combined key result to be established in each 
station of the pair for ttie transmission, and wherein 
the cryptographic facility in each station is ar- 
ranged, when an operating command is invoked to 
perform a designated operation with respect to 

75 such securely transmitted information, to automati- 
cally abort such operation unless it matches the 
control value. 

As disclosed herein after, cryptographic tech- 
niques according to tiie present invention are prac- 

20 ticed in a communications network having a plural- 
ity of stations, each of which has a cryptographic 
facility which performs cryptographic operations in 
support of the network encryption function. Such a 
network can be. for example, an electi^onic funds 

25 transfer (EFT) or point of sale (POS) network and, 
in any case, would include at least one generating 
station and at least two using stations. The cryp- 
tographic facility at each station in the network has 
a Key Generation Function (KGF) and a Key Usage 

30 Function (KUF). Each key generated by a KGF has 
an associated control value C which prescribes 
how tiie key may be used, and tfie KUF provides a 
key authorization function to ensure tiiat a request- 
ed usage of a key complies with ttie control value 

35 C. 

Two metiiods may be employed to implement 
the technique whereby a generating station in a 
communications network confe-ols tiie use of a 
cryptographic key. In ttie first metiiod, each key 

40 and control value are authenticated via a special 
authentication code before use. In the second 
method, tiie key and tiie control value are coupled 
during key generation such tiiat tiie key is recov- 
ered only if ttie correct control value is specified. 

45 In addition to controlling tiie use of a cryp- 
tographic key. tiie generating station control which 
generating stations may use a generated and dis- 
tributed cryptographic key. Two methods are em- 
ployed to additionally control who may use a cryp- 

50 tographic key. In ttie first method, each using sta- 
tion has a unique secret transport key shared with 
a generating station, which tiie generating station 
uses to disti-ibute generated data keys to the using 
stations. Keys are generated by the generating 

55 station in such a way ttiat ttiey can be recovered or 
regenerated only by ttie designated using stations 
possessing- ttie correct, designated, secret trans- 
port keys. In the second method, each using sta- 
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tion has a unique nonsecret value associated with it 
and each pair of using stations share a common, 
secret transport key with each other and also with 
the generating station. Keys are generated by the 
generating station such that they are recovered or 
regenerated only by the designated using stations 
possessing the correct, designated, secret trans- 
port key. However, since the transport key is 
shared among two using stations, further cryp- 
tographic separation is achieved by using the men- 
tioned public values associated witii each using 
station. Thus, tfie key generation and recovery pro- 
cedure is such that the keys distributed to each 
using station can be recovered or regenerated only 
by tiie appropriate using stations possessing the 
correct designated, public values. In effect, the 
transport key ensures that keys prepared for using 
station i and j cannot be recovered or regenerated 
at some other using station k, whereas the public 
values ensure that a key prepared for using station 
i cannot be recovered or regenerated at using 
station j. or vice versa. 

In summary, four specific cases are described. 
In ttie first case, key authentication is used and 
cryptographic separation is achieved via different, 
secret transport keys. In the second case, key 
authentication is used and cryptographic separation 
is achieved via different public values associated 
with each using station and via a common, secret 
transport key. In the third case, no authentication 
key is used and cryptographic separation is 
achieved via different, secret transport keys. In the 
fourth case, no key authentication is used and 
cryptographic separation is achieved via different 
public values associated witii each using station 
and via a common, secret transport key. 

A control value specifying the usage of a key 
can be implemented witii integrity in three ways: 

1. Via autiientication codes. The key and 
control value are distributed separately but are 
coupled via the autiientication code. 

2. Via a key disti-ibution function tiiat com- 
bines the key with tiie control value and a secret 
transport key. Separation is achieved by using dif- 
ferent secret transport keys for different using sta- 
tions. 

3. Via a key distribution function tfiat com- 
bines tiie key witii the conti'o! value, a unique 
public value associated with \he receiving station, 
and a secret transport key. The transport key is the 
same for each receiving using station. Separation is 
achieved via the public value, which is different for 
each different receiving using station. 

The present invention is based on the recogni- 
tion tiiat additional security benefits could be 
achieved via a key distribution method where each 
key had an associated control value that governed 
how tine key would be used by a using station. The 



way is provided to couple tiie key and tiie control 
value in a cryptographically secure way to provide 
a convenient easy and flexible method of im- 
plementing the concept so tiiat keys can be gen- 

5 erated at a generating station and distributed to two 
or more using stations where tiiey can be used in 
cryptographic operations for cryptographic pro- 
cessing purposes. 

An authentication code can be calculated using 

10 a secret key which is part of tiie data being autiien- 
ticated, whereas in part of tiie prior art tiie mes- 
sage authentication key and the data being authen- 
ticated are decoupled. With message authentica- 
tion, tiie secret key is used repeatedly to autiien- 

75 ticate messages sent from one part to another who 
share the authentication key, whereas the secret 
key, as used in this invention, is used just once to 
authenticate the key itself, the control value, and 
possible otiier nonsecret data associated with tiie 

20 key. 

Ehrsam et al, cited above, provides crypto- 
graphic separation via two different cross domain 
keys (or transport keys) for the purpose of distrib- 
uting a secret dynamically generated key to two 

25 using stations. As mentioned above, the variants 
employed by Ehrsam et al. provide an implicit 
control of the beneficial uses to which cryptograph- 
ic keys may be applied; however, the use of vari- 
ants severely limit the functions which may be 

30 supported- The method according to the present 
invention of using control values to control the use 
of cryptographic keys avoids the problems asso- 
ciated with variants since each bit in tiie control 
value can be associated with a different crypto- 

35 graphic operation. Thus, if there are 32 crypto- 
graphic operations, tiien a control value of 32 bits 
or less will cover all possible combinations, where- 
as with variants tiiis would require potentially 2^ 
different cryptographic operations to allow for all 

40 combinations. The invention achieves an obvious 
economy of scale with the control value over the 
Ehrsam et al. method based on variants. 

Combining a key and a key variant mask with a 
secret transport key is a concept described, for 

45 example, in copending U.S. Application Serial No. 
722.091 filed April 11, 1985, by Walter Ernst Bass 
et al. for "A Metiiod for Establishing User Autiien- 
tication with Composite Session Keys Among Cryp- 
tographically Communicating Nodes". In tiiat ap- 

50 plication, the variant of a single cross domain key 
is used to achieve unidirectionality between two 
receiving stations, so that reply attacks are tiiwart- 
ed. The unidirectionality feature precludes attacks 
where certain quantities sent from one point to 

55 another as part of establishing a session key can- 
not beneficially be replayed back to tiie originating 
point The variant mask associated with the cross 
domain key, in this case, is not a control value as 
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used in this invention; i.e.. it does not specify tine 
usage of the key. 

The use of a key distribution function as de- 
scribed in the patent to Smid et a!., cited above, 
describes combining a key to be distributed with 
the IDs of the sending and receiving nodes and 
with a secret interchange key. This controls who 
can use a cryptographic key but does not control 
how the cryptographic key is to be used. The 
control value which is used in the present inven- 
tion, while similar to the concatenation of the send- 
ing and receiving IDs as used by Smid et al, is for 
a wholly different purpose. 

The present invention will be described further 
by way of example with reference to embodiments 
thereof as illustrated in the accompanying draw- 
ings. In which: 

Rgure 1 is a block diagram illustrating a 
communication system consisting of a multiplicity 
of communicating stations connected via a PTT 
(Post Telephone and Telegraph) interconnect net- 
work; 

Rgure 2 is a block diagram showing a cryp- 
tographic facility capable of encryption/decryption 
via the Data Encryption Algorithm (DEA); 

Rgure 3 is a block diagram showing tiiree 
stations in the network configuration of Rgure 1 
including a generating station and two using sta- 
tions; 

Rgure 4 is a block diagram illustrating tiie 
functional relationship between function fi and gi ; 

Rgure 6 is a block diagram showing the 
functional relationship between tiie functions fa and 
93: 

Rgure 7 is a block diagram of the function 

Rgure 8 is a block diagram showing the 
functional relationship between the functions fs and 
95 ; 

Figure 9 is a block diagram showing the 
functional relationship between the functions fs and 
96; 

Rgure 10 is a block diagram of a first em- 
bodiment of a generating station wherein a first and 
second form of a key K are generated via a first 
function fi and a first and second key authentica- 
tion code are generated via a second function fa; 

Rgure 11 is a block diagram showing one 
example of an embodiment for function fi ; 

Rgure 12 is a block diagram showing one 
example of an embodiment for function fa; 

Rgure 13 is a block diagram showing a 
second embodiment of a generating station 
wherein a first and second form of a key K are 
generated via a third function h and a first and 
second key authentication code are generated via a 
fourth function ga related to function fa and a fourth 
function f*; 



Rgure 14 is a block diagram of one example 
of an embodiment of the functions fa and ga; 

Rgure 15 is a block diagram of another 
example of an embodiment of tiie functions fa and 
5 ga; 

Rgure 16 is a block diagram of one example 
of an embodiment of tiie function f*; 

Rgure 17 is a block diagram of another 
example of an embodiment of the function f*; 
10 Rgure 18 is a block diagram showing a first 

embodiment of a using station related to the first 
embodiment of a generating station shown in Rg- 
ure 10 wherein tiie received key K is recovered via 
a function gi. which is related to tfie function fi. 
75 and wherein tiie received key authentication code 
' is authenticated via the function fa; 

Rgure 19 is a block diagram showing a 
second embodiment of a using station related to 
tiie second embodiment of ttie generating station 
20 shown in Rgure 13 wherein ttie received key K is 
recovered via a function ga. which is related to 
function fa. and wherein the received key autiien- 
tication code is autiienticated via tiie function fi; 
Rgure 20 is a block diagram of a tiiird 
25 embodiment of a generating st^on wherein a first 
and second form of a key K are generated via a 
fiftii function fs; 

Rgure 21 is a block diagram of a fourti^ 
embodiment of a generating station wherein a fir$t 
30 and second form of a key K are generated via a 
sixth function fs; 

Rgure 22 is a block diagram of an example 
of an embodiment of function fs and a related 
function* gs; 

35 Rgure 23 is a block diagram of an example 

of an embodiment of function fs and a related 
function gs; 

Rgure 24 is a block diagram of a tiiird 
embodiment of a using station related to the tiiird 

40 embodiment of the generating station shown in 
Rgure 20 wherein tiie received key K is recovered 
via function gs. which is related to function fs; 

Rgure 25 is a block diagram of a fourth 
embodiment of a using station related to ttie fourtii 

45 embodiment of tiie generating station shown in 
Rgure 21 wherein tiie received key K is recovered 
via function gs, which is related to ftjnction fs; and 

Rgure 26 is a graphical representation of 
one possible control vector which may be used. 

50 Referring now to the drawings, and more par- 
ticularly to Rgure 1, a network is shown in which 
the stations (computers controllers, terminals, and 
the like) are connected via a PTT (Post, Telephone 
and Telegraph) interconnect network. Each such 

55 station has an encryption/decryption feature ca- 
pable of end-to-end encryption with any other sta- 
tion in the network. The network referred to here 
might be an electronic funds transfer (EFT) or point 
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of sales (POS) network. 

Each such station has a cryptographic facility 
which performs cryptographic operations in support 
of the network encryption function, such that any 
station with an implemented cryptographic facility 
is capable of end-to-end encryption with any other 
station in the network. The network message for- 
mats and protocols necessary to support such 
cryptographic communication, including those mes- 
sages necessary to support cryptographic keys 
and key management functions are not shown here 
as such messages and protocols are known in the 
prior art 

Referring now to Rgure 2, there is shown a 
cryptographic facility 10 containing a chip imple- 
mentation of the Data Encryption Algorithm (DEA) 
11, a hardware random number generator 12, a 
microprocessor 13, a battery 14. a battery-backed 
random access memory (RAM) 15 for storage of 
keys and other cryptographic variables, and a 
memory 16 for storage of system microcode and 
program code. Keys and cryptographic variables 
are loaded into the cryptographic facility via a key 
entry interface 17 and routed to memory 15 via a 
secure direct path 18. The cryptographic facility 
can be accessed logically only through inviolate 
processor interface 19, which is secure against 
intrusion, a'rcumvention and deception, and which 
permits processing requests 20 and data inputs 21 
to be presented to the cryptographic facility and 
transformed output 22 to be received from the 
cryptographic facility. 

The cryptographic facility at each station in the 
network configuration of Hgure 1 has a Key Gen- 
eration Function (KGF) and a Key Usage Function 
(KUF). Each key generated by a KGF has an 
associated control value C which prescribes how 
the key may be used; e.g.. encrypt only, decrypt 
only, generation of message authentication codes, 
verification of message authentication codes, etc. 
The KUF provides a key authorization function to 
ensure that a requested usage of a key complies 
with the control value C, and it also serves as an 
authentication function to ensure that a requested 
key and control value are valid before allowing the 
key to be used. Thus, the KUF is the logical 
component of the cryptographic facility that en- 
forces how keys are used at each using station, 
and in this sense, the KUFs collectively enforce the 
overall network key usage as dictated by the gen- 
erating station. 

Rgure 3 depicts three stations in the network 
configuration of Rgure 1 comprising a generating 
station and two separate using stations. Each sta- 
tion has a KGF and a KUF, although only the 
designated generating station has need to exercise 
the KGF and only the designated using stations 
have need to exercise the KUF. Thus, it will be 



appreciated that any statiori in the network configu- 
ration of Rgure 1 can act as a generating station 
for any other stations acting as using stations, and 
that a generating station may also act as one of the 

5 Intended using stations. Moreover, it will be appre- 
ciated, that this general arrangement can be ex- 
tended to cover the case where a generating sta- 
tion generates a key in several forms for distribu- 
tion to several using stations, so that the invention 

TO is not limited to only two using stations. All of these 
combinations and variations are not specifically 
shown, but it should be evident from the descrip- 
tion provided. 

Referring again to Rgure 3, there is shown a 

75 key generated at the generating station via its KGF 
in a first form with a first control value C and in a 
second form with a second control value C. which 
may be tiie same or different from tiie first control 
value C. The generated first form of the key and 

20 the first control value are transmitted to a first using 
station and the generated second form of the key 
and the second control value are transmitted to a 
second using station. Thus, the KUF at the first 
using station permits tiie received first form of ttie 

25 key to be used only in Uie manner prescribed by 
tiie received first control value and tiie KUF at the 
second using station permits tiie received second 
fomn of the key to be used only in ttie manner 
prescribed by the received second control value, 

30 which may be the same or different from the first 
control value received by \he first using station. 

It will be appreciated tiiat each form of the key 
(first form, second form, etc.) may consist of one. or 
more parameter values representing the informa- 

35 tion or data necessary to recover, regenerate or 
reconstitute a previously generated key, and tiiat 
this process of recovery or regeneration of the key, 
aitiiough not specifically shown in Rgure 3, always 
requires the use of a secret key available to. and 

40 known only to tiie receiving using station. These 
additional details are described hereinbelow. It will 
be appreciated still further that additional cryp- 
tographic values, beyond those defined as the form 
of the key and tiie control value, such as using 

45 station unique public value and key autiientication 
code, can be used in addition tiiough such are not 
all detailed herein. The purpose and use of each of 
tiiese cryptographic quantities depends on the par- 
ticular environment and application being consid- 

50 ered. The main variations are treated more fully 
below. 

The subject invention may be practiced using 
two different mettiods whereby a generating station 
can control how a cryptographic key may be used 
55 at the using station. The first method, which is 
illustrated by Rgures 10 through 19, requires each 
key and control value, and possibly otiier key- 
related data, to be authenticated via a special au- 
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thentication code before the received, recovered 
key may be used. The second method, which is 
illustrated by Rgures 20*25. couples the key and 
control value during the key generation process 
such that the key is recovered correctly at a using 
stat^ ' only if the correct control value has first 
been specified. Specification of an incorrect control 
value, in effect, causes a random, unknown key K 
to be recovered. Thus, if different, incorrect values 
of Ci and Cj are specified at using station i and j, 
where there may even be collusion between i and j, 
the keys recovered by using stations i and j will be 
spurious (i.e.. equal only by pure chance), and 
hence, no communication between using stations i 
and j with such inconrectly recovered keys is possi- 
ble. By exchanging a short verification message 
which uses the recovered keys, using stations i and 
j can therefore verify that the key has been cor- 
rectly recovered before using the key. 

Two different methods can be used whereby a 
generating station can control tiie using station or 
stations tiiat may use a distributed cryptographic 
key. Both metiiods ensure that a first using station i 
cannot use or beneficially misuse a key which has 
been designated for use at another using station j. 
In the first method, which is illustrated by Rgures 
10, 11. 12, 18, 20. 22, and 24. cryptographic sepa- 
ration among tiie keys designated for use at dif- 
ferent using stations is accomplished by using dif- 
ferent secret transport keys. Each using station 
shares a different, secret transport key (KR) with 
each generating station. Thus, at generating station 
a, transport key KRa. i is used for distribution of 
key K to using station i. whereas transport key 
KRa,j is used for distribution of key K to using 
station j. Under the key distribution procedure, a 
distributed key K and the transport key are coupled 
cryptographically such that key K is recovered cor- 
rectiy within the crytographic facility at using sta- 
tion only if the proper transport key KRa, i has first 
been initialized. Likewise, key K is recovered cor- 
rectly within tile cryptographic facility at using sta- 
tion j only if the proper transport key KRa. j has 
first been initialized. In the second method, which 
is illustrated by Rgures 13, 14. 15. 16. 17. 19. 21. 
23. and 25. cryptographic separation among tiie 
keys designated for use at different using stations 
is accomplished by assigning and associating a 
unique, nonsecret value with each using station 
which is initialized in the cryptographic facility of 
each respective using station and by sharing a 
unique, secret h'ansport key among the respective 
receiving using stations and ihe generating station. 
Thus, at generating station a, transport key KRi. j is 
used for distribution of key K to using stations i and 
j. The nonsecret or public value associated with 
each using station is designated PV, so that values 
PVi and PVj would be used for distribution of key K 



to using stations i and j. respectively. Under the 
key distribution procedure, a distiibuted key K. the 
public value PV, and tfie transport KR are coupled 
cryptographically such that key K is recovered cor- 

5 rectiy within the cryptographic facility at using sta- 
tion i only if the proper transport key KRi, j and the 
proper public value PVi have first been initialized. 
Likewise, key K is recovered correctly within the 
cryptographic facility at using station j only if tiie 

70 proper transport key KRi. j and the proper public 
value PVj have first been initialized. 

From the description above, tiiose skilled in the 
art will appreciate thai Rgures 10. 11. 12. and 18 
cover the case where key authentication is used 

75 and cryptographic separation is achieved via dif- 
ferent transport keys; Rgures 20. 22 and 24 cover 
the case where key autiientication is used and 
cryptographic separation is achieved via different 
public values associated with each using station 

20 and a common, secret transport key; Rgures 13. 
14. 15. 16. 17, and 19 cover tiie case where no key 
autiientication is used and cryptographic separation 
is achieved via different transport keys; and Rg- 
ures 21 . 23 and 25 cover the case where no key 

25 authentication is used and cryptographic separation 
is achieved via different public values associated 
with each using station in conjunction with a com- 
mon, secret transport key at each using station. 

30 

DERNITION 



Several different cryptographic functions are 
35 defined. These are designated as functions fi, f2, 
fa. fi. fs, fs. gi. ga. gs, and gs. These functions are 
used within the cryptographic facility of the gen- 
erating and using stations for the purposes of key 
generation, key recovery, and key authentication. A 
40 precise definition of each function is given below: 
1. Referring to Rgure 4, functions fi and gi 
are a pair of nonsecret cryptographic functions witii 
the following properties: 

a. fi and gi each have two inputs and one 

45 output. 

b. The notation f1(x.y) = z means that z is 
the output when fi is applied to inputs x and y. 
Likewise, the notation g1(x,z) = y means that y is 
the output when gi is applied to inputs x and z. 

so c. f 1 is such tiiat fi (x.y) depends on each 

of the inputs x and y; gi is such that g1(x,z) 
depends on each of the inputs x and z. 

d. ft and gi are such that if .f1(x,y) = z, 
then g1(x.z) = y. In effect, when the first input 

55 parameter of fi and gt are set equal, then gi 
becomes the inverse of fi. Loosely speaking, the 
fii'st input parameters of fi and gi are crypto- 
graphic keys. 
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e. f1(x,y) is easily calculated from x and y. 
Likewise. g1(x,2) is easily calculated from x and z. 

f. For any given f1(x,y) = z, where z and 
y are known and x is unknown, it is computationally 
infeasible to calculate x from y and z. Likewise, for 
any given g1(x.z) = y. where z and y are known 
and X is unknown, it is computationally infeasible to 
calculate x from y and z. N/Vith respect to the use of 
fi and gi in the present arrangement, this property 
protects the secrecy of the fixed secret crypto- 
graphic key X even if the secret distributed key y 
should be compromised. 

9. For any given f1{x,y) = z, where z is 
known and x and y are unknown, it is computation- 
ally infeasible to calculate y from z. Likewise, for 
any given g1(x.z) = y. where z is known and x and 
y are unknown, it is computationally infeasible to 
calculate y from z. This protects the secrecy of the 
dynamically distributed secret key y. 

h. For any given f1(x.y) = z. where z is 
known and x and y are unknown, it is computation- 
ally infeasible to find a y' and z . where z may be 
equal to z, which satisfy the relationship f1{x.y') = 
z'. Likewise, for any given g1(x,2) = y. where z is 
known and x and y are unknown, it is computation- 
ally infeasible to find a y' and a z\ where z may 
be equal to z. which satisfy the relationship g1(x.z ) 
= y'. This prevents an opponent from forging a 
dynamically distributed key y that will be accepted 
by a using station. 

2. Refem'ng to Rgure 5. function fa is a 
nonsecret cryptographic function with the following 
properties: 

a. f2 has two inputs and one output. 

b. The notation f2(x,y) = z means that z is 
the output when is applied to inputs x and y. 

c. h is such tfiat f2{x.y) depends on each 
of the inputs x and y. 

d. f2(x,y) is easily calculated from x and y. 

e. For any given f2(x.y) = z. where y and 
z are known and x is unknown, it is computationally 
infeasible to calculate x from y and z. This protects 
tiie secrecy of the dynamically distributed secret 
key X. 

f. For any given f2(x,y) = z, where y and 
z are known and x is unknown, it is computationally 
infeasible to find a y' * y and a z . where z may 
be equal to z, such thatf2(x.y') = z'. This prevents 
an opponent from forging a control value C and an 
authentication code tiiat will be properly autiien- 
ticated and accepted by a using station. 

3. Referring to Rgure 6, functions fa and ga 
are a pair of nonsecret cryptographic functions with 
the following properties: 

a. fa and ga each have two inputs and one 

output 



b. The notation f3(x,y) = z means that z is 
the output when fa is applied to inputs x and y. 
Likewise, the notation g3{x.z) = k means ttiat k is 
tfie output when ga is applied to inputs x and z. 

5 The value of k is the dynamically produced secret 
key being distributed. 

c. fa is such that f3{x,y) depends on input 
y, but may or may not depend on input x. This 
distinguishes function fa from function fi . 

10 d. Unlike functions.fi and gi . where f1(x,y) 

= z implies that g1(x,z) = y, functions fa and ga 
are such that f3(x.y) = z does not imply that g3- 
(x,z) = y. This property may or may not hold for fa 
and ga. The critical feature here is that fa and ga 

75 are less restrictive than functions f i and gi , where- 
as, at the same time, tiiey are such that the secret 
key k can be dynamically produced, distributed 
and recovered because of tine guaranteed func- 
tional relationship g3(x,f3(x,y)) = k. In effect, fa and 

20 ga permit a key distribution using one way func- 
tions ratiier than by using encryption and decryp- 
tion, which are, by definition, reversible or two way 
functions. 

e. f3(x,y) is easily calculated from x and y. 
25 Likewise. g3(x,z) is easily calculated from x and z. 

f. For any given f3(x,y) ~ z. where z and 
y are known and x is unknown, it is computationally 
infeasible to calculate x from y and z. Likewise, for . 
any given g3(x.z) = k, where z and k are known 

30 and x is unknown, it is computationally infeasible to 
calculate x from k and z. This protects the secrecy 
of tiie fixed secret cryptographic key x even if tiie 
secret distribution key y should become compro- 
mised. 

35 g. For any given g3(x,z) = k. where z is 

known and x and k are unknown, it is computation- 
ally infeasible to calculate k from z. This protects 
tiie secrecy of the dynamically distributed secret 
key k. 

40 h. If function fa is such that k can be 

derived easily from y, or from y and other non- 
secret data presumed available, then for any given 
f3(x,y) = z. where z is known and x and y are 
unknown, it is computationally infeasible to cal- 

45 cuiate y from z. Again, this protects the secrecy of 
the dynamically distributed secret key k. 

i. For any given g3(x.z) = k. where z is 
known and x and k are unknown, it is computation- 
ally infeasible to find a z and k which satisfy the 

50 relationship g3(x,z') = k. This prevents an oppo- 
nent from forging a dynamically distributed key k 
that will be accepted by a using station. 

j. If function fa is such tiiat k can be 
derived easily from y, or from y and other non- 

55 secret data presumed available, then for any given 
f3(x,y) = z, where z is known and x and y are 
unknown, it is computationally infeasible to find a 
y and z , where z may be equal to z. which 
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satisfy the relationship f3{x,y') = z'. Again, this 
prevents an opponent from forging a dynamically 
distributed key k that will be accepted by a using 
station. 

4. Referring to Rgure 7, function f* is a 
nonsecret cryptographic function with the following 
properties: 

a. f* has three inputs and one output 

b. The notation f4{w^,y) = means that z 
is the output when fi is applied to inputs w. x and 

y- 

c. f* is such that f4(wp(,y) depends on 
each of the inputs w. x and y. 

d. f4(w.x.y) is easily computed from w. x 

and y. 

e. For any given f4{w,x,y) = z, where x. y 
and z are known and w is unknown, it is computa- 
tionally infeasible to calculate w from x. y and z. 
This protects the secrecy of the dynamically dis- 
tributed secret key w. 

f. For any given f4{w.x,y) = z, where x, y 
and z are known and w is unknown, it is computa- 
tionally infeasible to find an x . y and z . where x 
or y' or both x and y are different from x and y, 
respectively, which satisfy the relationship f4- 
(w.x',y') = z . This prevents an opponent from 
forging a control value C and an authentication 
code for given pubic value PV, which will be prop- 
erly authenticated and accepted by a using station. 

5. Referring to Rgure 8, functions fs and gs 
are a pair of nonsecret cryptographic functions with 
the following properties: 

a. h and gs each have three inputs and 
one output. 

b. The notation f5(w.x.y) = z means that z 
is the output when h is applied to inputs w, x and 
y. Likewise, the notation g5(w.x,2) = y means that 
y is the output when gs is applied to inputs w, x 
and z. 

c. fs is such that f5 {w.x,y) depends on 
each of the inputs w. x and y. gs is such that g5- 
(w,x,y) depends on each of the inputs w, x and z. 

d. fs and gs are such that if f5(w.x.y) = z, 
then g5(w.x.z) = y. In effect, when the first and 
second input parameters of fs and gs are set equal, 
then gs becomes the inverse of fs. For practical 
purposes, the input parameter w in functions fs and 
gs is a fixed secret cryptographic key. 

e. f5(w,x.y) is easily calculated from w, x 
and y. Likewise. g5{w,x.y) is easily calculated from 
w, X and z. 

f. For any given f5(w,x,y) = z, where z. x 
and y are known and w is unknown, it is computa- 
tionally infeasible to calculate w from z. x and y. 
Likewise, for any given g5(w.x,2) = y, where z, x 
and y are known and w is unknown, it is computa- 
tionally infeasible to calculate w from z, x and y. 



This protects the secrecy of the fixed secret cryp- 
tographic key w even if the secret distributed key y 
should become compromised. 

g. For any given f5(w,x.y) = z, where z 
5 and X are known and w and y are unknown, it is 

computationally infeasible to calculate y from z and 
X. Ukewise, for any given g5(w,x.z) = y, where z 
and X are known and w and y are unknown, it is 
computationally infeasible to calculate y from z and 
70 X. This protects the secrecy of the dynamically 
distributed secret key y. 

h. For any given f5(w,x,y) = z. where z 
and X are known and w and y are unknown. It is 
computationally infeasible to find an x , y and z . 

75 where z may be equal to z but x or y or both x 
and y are different hrom x and y, respectively, 
which satisfy the relationship re{w.x ,y) = z . Like- 
wise, for any given g5{w.x.2) = y. where z and x 
are known and w and y are unknown, it is computa- 

20 tionally infeasible to find an x'. y' and z'. where z 
may be equal to z but x' or y' or botii x' and y' are 
different from x and y. respectively, which satisfies 
the relationship g5(wp< .z ) = y . This prevents an 
opponent firom forging a dynamically distributed 

25 key y or a control value x or both which would be 
accepted by a using station. 

6. Referring to Rgure 9. functions k and 
are a pair of nonsecret cryptographic functions wr^ 
the following properties: 

30 a. fs and gs each have four inpufe and orte 

output. 

b. The notation f6(v.w.x.y) = z means tiiat 
z is tiie output when fs is applied to inputs v, w. x, 
and y. Likewise, tiie notation g6(v.w,x,2) = y 

35 means tiiat y is the output when gs is applied to 
inputs V. w, X. and z. 

c. fs is such tiiat f6(v,w.x,y) depends on 
each of the inputs v, w. x. and y. gs is such tiiat 
g6(v.w,x,2) depends on each of the inputs v, w, x, 

40 and z. 

d. fs and gs are such that if f6(v,w,x,y) = 
z. tiien g6(v.w,x.z) = y. In effect, when tiie first, 
second and tiiird input parameters of fs and gs are 
set equal, then gs becomes tfie inverse of fs. For 

45 practical purposes, tiie input parameter v in func- 
tions fs and gs is a fixed secret cryptographic key. 

e. f6{v.w,x.y) is easily calculated from v. 
w. X and y. Likewise, g6(v.w,x.z) is easily calculated 
from V. w. X, and z. 

50 f. For any given f6(v.w,x.y) = z, where z. 

w. X. and y are known and v is unknown, it is 
computationally infeasible to calculate v from z. w. 
X. and y. Likewise, for any given g6(v.w.x.z) = y. 
where z, w. x. and y are known and v is unknown. 

55 it is computationally infeasible to calculate v from 
2. w. x. and y. This protects the secrecy of ttie 
fixed secret cryptographic key w even if tfie secret 
distributed key y should become compromised. 
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g. For any given f6(v,w^,y) = 2, where z, 
w and X are known and v and y are unknown, it is 
computationally infeasibie to calculate y from z. w 
and X. Likewise, for any given g6(v,wj(,2) = y. 
where z, w and x are known and v and y are 
unknown, it is computationally infeasibie to cal- 
culate y from z, w and x. This protects the secrecy 
of the dynamically distributed secret key y. 

h. For any given f6(v.wp(,y) = z, where z. 
y and x are known and v and y are unknown, it is 
computationally infeasibie to find a w', x', y', and 
z . where z may be equal to z but w or x or y or 
some combination thereof are different from w. x 
and y, respectively, which satisfy the relationship 
f6(v,w PC ,y ) = z . Likewise for any given gS- 
(v,w.x.z) = y. where z. w and x are known and v 
and y are unknown, it is computationally infeasibie 
to find a w , X . y and z , where z may be equal to 
2 but w or X or y or some combination thereof 
are different from w, x and y, respectively, which 
satisfy the relationship g6{v,w'y,z') = y. This 
prevents an opponent from forging a dynamically 
distributed key y or a control value x or both for a 
given using station with associated public value PV. 

i. For any given g6(v,w,x,z) = yr where w. 
x and z are known and v and y are unknown, it is 
computationally infeasibie Jo find a w', w". x', x". 
z\ and z". where w' * w" and x' and x" are two 
different legitimate values of PV, which satisfy the 
relationship g6(v.w'.x',z') ~ g6 {y/,Yf",x'^\ Note 
that the value of function gs evaluated with inputs 
V. w', x', and z' or with inputs, v. w", x", and z" 
does not need to be known. This property prevents 
a special type of insider attack where two system 
users collude to constaict alternate inputs with dif- 
ferent control values that will allow the same dis- 
tributed secret key y = y" to be initialized at two 
different using stations whose associated public 
values are x and x . even though the users them- 
selves do not know the value of y' = y". This 
specific property is needed since the generating 
station uses the same value of v in function U 
when calculating the first and second forms of the 
key to be distributed to two different using stations. 

Example embodiments for functions fi through 
h, gi, g3, gs, and gs which satisfy the functional 
definitions given above are provided in Rgures 11, 
12. 15. 16, 17. 22. and 23. These are described in 
more detail hereinafter. 



DESCRIPTION OF THE PREFERRED EMBODI- 
MENTS 



Referring now to Rgure 10, a first embodiment 
of a generating station is shown wherein a first and 
second form of a key K are generated via a first 



function fi and a first and second key authentica- 
tion code are generated via a second function fa. In 
Rgure 10, tiiere is shown a data base 100 and a 
cryptographic facility 110 containing a command 

5 decoder 115, a random key generator 120. a gen- 
erate key function 130, a command port 140. an 
input port 145. and an output port 150. Each using 
station i shares a unique secret transport key, KRi. 
witii tile generating station, which is used by tiie 

70 generating station to encrypt and forward data keys 
to that using station. These transport keys, KRI. 
KR2, .... KRn. are encrypted under a prescribed 
variant of the master key of tiie generating station, 
km', and this list of encrypted transport keys. 

15 which is indexed by the IDs of the using stations, is 
stored in data base 100. 

Those skilled in tiie art will understand that the 
generating station also has a central processing 
unit (CPU) which manages and controls the key 

20 generation process. The CPU (not shown) deter- 
mines tiie IDs of tiie using stations for which keys 
are to be generated, it determines the control val- 
ues associated witii tiie keys for each using station, 
it accesses encrypted transport keys from the data 

25 base 100, and it issues generate key commands to 
the cryptographic facility 110 together witii tiie ap- 
propriate control values and encrypted keys. Since 
CPUs and the processes perfonmed by tiiem in this 
context are well known in tiie art no further de- 

30 scription of ttie CPU and the operations performed 
by it are needed for an understanding of the 
present invention. 

The steps involved in generating a data key K 
for using stations i and j can be traced in Rgure 

35 10. The CPU first detennines that a data key is to 
be distributed to using stations i and j. i.e., witii 
identifiers IDi and IDj. and that the control values at 
using stations i and j are Ci and Cj, respectively. 
- The identifiers IDi and IDj are used via line 160 to 

40 access tiie encrypted transport keys eKM' (KRi) 
and eKM' (KRj), from data base 100, and tiiese 
encrypted keys are read out on line 165. A 
"generate key" command on line 170 is input to 
command port 140 of tiie cryptographic facility. 

45 The encrypted transport keys, eKM' (KRi) and 
eKM (KRj), and tiie control values, Ci and Cj, are 
presented as data inputs at input port 145. In 
response to tiie "generate key" command, tiie 
command decoder at 115 produces an active gen- 

50 erate key function on line 125. which enables tiie 
generate key function 130. Once enabled, the gen- 
erate key function 130 will accept inputs Cj, oKM' - 
. (KRj). Ci, and eKM' (KRi). from input port 145 and 
a random data key K from random key generator 

55 120. 

The inputs are processed as follows. The value 
eKM' (KRi)^ is decrypted at 131 under master key 
variant KM'. KM' is a dynamically generated vari- 
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ant of the master key, KM, where KM is stored in 
the key and parameter storage of the cryptographic 
facility 110. as shown in Rgure 2. and is available 
for use by the generate key function 130. The 
decrypted output KRi and the data key K are 
processed via combining function fi at 133 to pro- 
duce output fl(KRi,K). The data key K and the 
input control value Ci are processed via combining 
function f2 at 134 to produce output f2(K.Ci). The 
value eKM' (KRj) is decrypted at 132 under master 
key variant KM'. The decrypted output KRj and the 
data key K are processed via combining function fi 
at 135 to produce output fl(KRj.K). The data key K 
and the input control value Cj are processed via 
combining function h at 136 to produce output f2- 
(K.Cj). The four values fl(KRi.K), f2{K;Ci), fl(KRj.K). 
and f2(K,Cj) are then presented as outputs at out- 
put port 150, and appear on lines 151, 152. 153. 
and 154, respectively. 

Those skilled in the art will understand that the 
serial data represented by fl(KRi.K) on line 151 
and the serial data f2(K,Ci) on line 152 are loaded 
into respective shift registers and are read out in 
parallel to an output buffer. The output buffer is 
loaded in parallel with a header and synchronizing 
data from another register. The data in the output 
buffer is then read out sericilly and sent to using 
station I over a communication link in a conven- 
tional manner. In like manner, the serial data repre- 
sented by fl(KRj.K) on line 153 and the serial data 
f2(K,Cj) on line 154 are loaded into respective shift 
registers and are read out into an output buffer. 
The output buffer has a header and synchronizing 
data The data in the output buffer is then read out 
and sent to using station j. Obviously, the output 
shift registers and buffer may be multiplexed to 
sequentially transmit data first to using station i and 
then to using station j. 

Rgure 11 shows an example of an embodi- 
ment for the function ft. As defined, fi has two 
inputs and one output The inputs K and KR. fi 
comprises an encryption facility E whereby input K 
is encrypted with KR to provide an output eKR(K). 

Rgure 12 shows an example of an embodi- 
ment for the function f2. As defined, fa has two 
inputs and one output. In this case, the inputs are 
K and C. fa comprises an encryption facility E 
whereby input C is encrypted with K. fa also com- 
prises an exclusive OR logic which combines the 
output of the encryption facility with C to produce 
the output eK{C) ® C. 

Referring now to Rgure 13. a second embodi- 
ment of a generating station is shown wherein a 
first and second form of a key K are generated via 
a third function h and a first and second key 
authentication code are generated via a fourth func- 
tion ga, which is related to function fa. and a fourth 
function f^. In Rgure 13. there is shown a data 



base 200 of encrypted keys, a data base 205 of 
public values, and a cryptographic facility 210 con- 
taining a command decoder 215. a random number 
generator 220. a generate key function 230, a com- 

5 mand port 240. an input port 245. and an output 
port 250. Each pair of using stations i and j that 
can communicate share a common secret transport 
key KRij, which is also shared with the generating 
station. The generating station uses KRij to gen- 

10 erate certain cryptovariables which are then sent to 
using stations i and j. These received cryptovaria- 
bles are sufficient to allow using stations i and j to 
regenerate a common data key K. By referring to 
the combining functions fa and ga. it will be more 

15 fully appreciated that key distribution is accom- 
plished, loosely speaking, via one-way functions 
instead of using a method of encrypting K at the 
generating station and decryption to recover K at 
the receiving using stations. These transport keys. 

20 KRI .2, KRI ,3 KRn.n-1. are encrypted under a 

prescribed variant of the master key of the generat- 
ing station. Km'. and this list of encrypted transport 
keys, which is indexed by the respective IDs of the 
using stations, is stored in data base 200. 

25 Also .associated with each using station i is a 
public value, PVi. These public values are used to 
cryptographically distinguish and separate the 
cryptovariables designated for and transmitted to 
each respective using station, and the procedure 

30 for key distribution is such that the cryptovariables 
produced and sent to using station i cannot be 
beneficially used or misused at another using sta- 
tion j. These public values PVI. PV2, .... PVn. 
indexed by the ID of the using station, are stored in 

35 data base 205. 

The generating station also has a central pro- 
cessing unit (CPU) which manages and controls 
the key generation process. The CPU determines 
the IDs of the using stations for which keys are to 

40 be generated, it determines the control values as- 
sociated with the keys for each using station, it 
accesses encrypted keys and public values from 
the data base, and it issues generate key com- 
mands to the cryptographic facility together with 

45 the appropriate control values, public values, and 
encrypted keys. 

The steps involved in generating a data key K 
for using stations i and j can be traced in Rgure 
13. The CPU first determines that a data key is to 

50 be distributed to using stations i and j, i.e., with 
identifiers IDi and IDj, that the control values at 
using stations i and j are Ci and Cj, respectively, 
and that the public values at using stations i and j 
are PVi and PVj, respectively. The identifiers IDi 

55 and IDj are used via line 260 to access the encryp- 
ted transport key oKM' (KRij) from data base 200. 
and this encrypted key is read out on line 261 . The 
identifiers IDi and IDj are also used via line 262 .to 
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access the public values PVi and PVj from data 
base 205, and these public values are read out on 
line 263. A "generate key" command on line 270 is 
input to command port 240 of the cryptographic 
facility 210. The encrypted transport key eKW' - 
(KRi,i). the public values PVi and PVj, and the 
control values Ci and Cj are presented as data 
inputs at input port 245. In response to the 
"generate key" command, the command decoder 
215 produces an active generate key function on 
line 225. which enables the generate key function 
230. Once enabled, the generate key function 230 
will accept the inputs eKM' (KRij). PVj, Cj, PVi, and 
Ci from input port 245 and a random number RN 
from random number generator 220. 

The inputs are processed as follows. The value 
eKM' (KRij) is decrypted at 231 under master key 
variant KM . KM' is a dynamically generated vari- 
ant of the master key, KM, where KM is stored in 
the key and parameter storage of the cryptographic 
facility, as shown in Rgure 2. and is available for 
use by the generate key function 230. The decryp- 
ted output KRij and the- random number RN are 
processed via combining function fa at 232 to pro- 
duce output -f3{KRij,RN). The decrypted output KRij 
and the so-produced output f3(KRij,RN) are pro- 
cessed via combining function ga at 233 to pro- 
duce output data key K. The data key K, the input 
control value Ci, and the input public value PVi are 
processed via combining function f* at 234 to pro- 
duce output f4(K,Ci,PVi), and the data key K, the 
input control value Cj, and the input public value 
PVj are processed via combining function f^ at 235 
to produce output f4(K,Cj.PVj). The three values f3- 
(KRij,RN), f4(K,Ci.PVi). and f4(K,Cj.PVj) are then 
presented as outputs at output port 250 and appear 
on output lines 251, 252 and 253, respectively. 

The serial data represented by f4(K,CI.PVi) on 
line 252 and the serial data f3(KRij.RN) on line 251 
are loaded into respective shift registers and are 
read out in parallel to an output buffer. The output 
buffer is loaded with a header and synchronizing 
data from another register. The data is the output 
buffer is then read out serially and sent to using 
station i. In like manner, the serial data represented 
by f4{K,Cj,PVj) on line 253 and the serial data f3- 
(KRij.RN) on the line 251 are loaded into respective 
shift registers and are read out in parallel to the 
output buffer. The output buffer is loaded with a 
header and synchronizing data from another regis- 
ter. The data in the output buffer is read out serially 
and transmitted to using station j. 

Rgure 14 shows an example of an embodi- 
ment of the functions fa and ga. As defined, each 
of these functions has two inputs and one output. 
In the case of fa, the inputs are KR and RN; 
however, the output is a straight through connec- 
tion of the input RN. In the case of ga, the inputs 



are again KR and RN. ga comprises an encryption 
facility E in which RN is encrypted under KR. ga 
also comprises an exclusive OR logic which com- 
bines the output of the encryption facility E with the 

5 input RN to produce the output eKR(RN) e RN. 
where eKR(RN) ® RN is defined as the data key K. 

Rgure 15 shows another example of an em- 
bodiment of the functions fa and ga. In this case, fa 
comprises an encryption facility E which encrypts 

10 RN under KR to produce the output eKR{RN). ga 
comprises a decryption facility D which decrypts 
eKR(RN) under KR to produce RN as the output 
where RN is defined as the data key K. 

Rgure 16 shows an example of an embodi- 

75 ment of the function f4. By definition. U has three 
inputs and one output The inputs are K, C and PV. 
U comprises first and second encryption facilities E 
and exclusive OR logic. The first encryption facility 
encrypts C under K to produce eK(C) which is 

20 combined in the exclusive OR logic with PV to 
produce eK(C) e PV. The output of the exclusive 
OR logic is encrypted under the second encryption 
facility to produce to output function f4(K,C.PV). 
Rgure 17 shows another example of an em- 

25 bodiment of the function f*. In this example, there 
are three encryption facilities and three exclusive 
OR logics. The first encryption fadlity encrypts K 
under Kl, where Kl is a fixed nonsecret key, to 
produce eKI(K) which is exclusive ORed with K to 

30 yield eKI(K) e K. This output which will be referred 
to as Kl, is used to encrypt C in the second 
encryption facility, the output of which is exclusive 
ORed with C to produce eK1(C) e C. This output 
which will be referred to as K2, is in turn used to 

35 encrypt PV in the third encryption facility, the out- 
put of which is exclusive ORed with PV to provide 
the output eK2(PV) e PV = f4(K,C,PV). 

Referring now to Rgure 18. there is shown a 
first embodiment of a using station related to the 

40 first embodiment of the generating station shown in 
Rgure 10 wherein the received key K is recovered 
via a function gi, which is related to the function fi , 
and wherein the received key authentication code 
is authenticated via the function fa. Rgure 18 

45 shows a data base 300 and a cryptographic facility 
310 containing a command decoder 315. and 
"operation allowed" procedure 320, an "abort op- 
eration" procedure 327. a check procedure 330. a 
command port 340. an input port 345, an output 

50 port 350, and microcode 380 to perform a re- 
quested operation. Each using station i shares a 
unique secret transport key, KRi. with the genera- 
tion station, which is used by the receiving station 
to receive encrypted data keys from the generating 

55 station. The transport keys shared with each gen- 
erating station are encrypted under a prescribed 
variant of the master key of the using station, KM , 
and these encrypted transport keys are stored in 
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data base 300. If there were only one generating 
station and one key shared with that generation 
station, then there would be only one encrypted 
transport key in data base 300. The encrypted 
transport keys in data base 300 are indexed by an 
identifier, here referred to as "ID of KR", which 
uniquely identifies each key in the list Thus, in 
Rgure 18. "ID of KRi" refers to a particular KRi 
which using station i has shared with the generat- 
ing station, and is the same KRi used by the 
generating station to communicate with using sta* 
tion i. 

The using station also has a central processing 
unit (CPU) which manages and controls the key 
recovery and key usage process. The CPU (not 
shown) receives a formatted message from the 
generating station, which contains the ID of the 
generating station, the IDi of the intended receiving 
station, tiie 10 of KRi, a conti-ol value Ci, a first 
value f1(KRi,K), and a second value f2(K.Ci). The 
CPU parses messages received from the generat- 
ing station, extracts data parameters, accesses en- 
crypted transport keys from its data base, and 
presents key and data parameters to the cryp- 
tographic facility 310 in conjunction with requested 
cryptographic operations. 

The steps involved in using a data key K at 
using station i can be traced in Rgure 18. The CPU 
first determines that a received data key K is to be 
used in a specific requested cryptographic opera- 
tion. Using tiie received value of "ID of KRi". \he 
encrypted transport key eKM'(KRI) is accessed 
from tiie data base 300 via line 360. and the 
encrypted key is read out on line 365. A requested 
operation on line 370 is input to command port 340 
of tiie cryptographic facility. The encrypted trans- 
port key eKM (KRi) accessed from data base 300. 
tiie control value Ci, value f1(KRi,K), and value f2- 
(K,Ci) extracted from the received message, and 
other inputs necessary to the requested crypto- 
graphic operation, are presented as data inputs at 
input port 345. In response to the requested opera- 
tion, the command decoder 315 activates the 
^'operation allowed" procedure 320. Once enabled, 
tiie "operation allowed" procedure 320 will accept 
inputs f2(K.Ci). Ci. f1(KRi,K). and eKM'(KRi) from 
input port 345. These inputs are temporarily stored 
in the cryptographic facility 310. Using the just 
read value of Ci, the "operation allowed" procedure 
320 determines whether the usage of data key K in 
tiie requested operation is autiiorized or granted on 
the basis of data in the control value Ci. If so, then 
the "operation allowed" procedure 320 produces 
an activate check procedure on line 325 that en- 
ables tiie check procedure 330. If tiie use is not 
authorized, tiien the "operation allowed" procedure 
320 produces an activate abort on line 326. Once 
enabled, the abort operation 327 erases the inputs 



read from input port 345 and temporarily stored in 
the cryptographic facility 310 and enables anotiier 
requested operation via command port 340. Once 
enabled, the check procedure 330 will accept in- 
5 puts f2{K.Ci), Ci, fl(KRI.K). and eKM'(KRi). which 
have been temporarily stored in tiie cryptographic 
facility 310. 

The inputs are processed as follows. The value 
eKM'(KRi) is decrypted at 331 under master key 
10 variant KM . KM is a dynamically generated vari- 
ant of tiie master key KM, where KM is stored in 
tiie key and parameter storage of tiie cryptographic 
facility 310, as shown in Rgure 2, and is available 
for use by the check procedure 330. The decryp- 
ts ted output KRi and the input value fl(KRi.K) are 
processed via combining function gi at 332 to 
produce output data key K. The so-produced data 
key K and the input control value Ci are processed 
via combining function fa at 333 to produce output 
20 f2(K,Ci). The so-produced value f2{K,Ci) and the 
input value f2(K.Ci) are compared for equality at 
334. If not equal, then an activate abort operation is 
produced on line 328. If equal, then an activate 
"microcode to perform requested operation" is pro- 
25 duced on line 329. Once enabled, tiie abort opera- 
tion 327 erases tfie inputs read from input port 346 
and temporarily stored in tiie cryptographic facility 
310 and enables anotiier requested operation via 
command port 340. Once enabled, the microcode 
30 to perform requested operation 380 will accept 
input to requested operation on line 381 via input 
port 345 and tiie so-produced data key K on line 
382. which is the output from combining function 
gi at 332. The requested operation is tiien per- 
35 formed at 380 using tiiese key and data inputs. 
The output of tiie requested operation 380 is tiien 
presented at output port 250 and appears on line 
383. 

Referring now to Rgure 19. there is shown a 

40 second embodiment of a using station related to 
the second embodiment of tiie generating station 
shown in Rgure 13 wherein the data key K is 
regenerated or recovered via a function ga, which 
is related to function fa, and wherein the received 

45 key authentication code is authenticated via tiie 
function f4. Rgure 19 shows a data base 400 and a 
cryptographic facility 410 containing a command 
decoder 415, an "operation allowed" procedure 
420, an "abort operation" procedure 427. a check 

50 procedure 430. a command port 440, an input port 
445. an output port 450, and microcode to perform 
requested operation 480. Each pair of using sta- 
tions i and j share a unique secret transport key, 
KRi.j. which is also shared witii the generating 

55 station. The transport key KRij is used by using 
station i to recover or regenerate data keys from 
information received from a generating station, 
where the so-recovered or so-regenerated data 

13 
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keys will be used for communication with using 
station j, and vice versa The transport keys shared 
in common with each other using station, and also 
with the generating station, are encrypted under a 
prescribed variant of the master key of the receiv- 
ing station. KM', and these encrypted transport 
keys are stored in data base 400. The encrypted 
transport keys in data b^ase 400 are indexed by an 
identifier which uniiquely relates the key to using 
station j. Thus, in Rgure 19. the term "ID of KRij" 
is the identifier of KRij. which is tfie transport key 
that using station i shared with using station j. 

The using station also has a central processing 
unit (CPU) which manages and controls tiie key 
recovery and key usage process. The CPU re- 
ceives a formatted message from the generating 
station, which contains the ID of the generating 
station, the IDi of the intended using station, the ID 
of KRij. a control value Ci, a first value f4(K.Ci.PVi), 
and a second value f3(KRij.RN). The CPU parses 
messages received from the generating station, 
extracts data parameters, accesses encrypted 
transport keys from its data base, and presents key 
and data parameters to the cryptographic facility 
410 in conjunction with requested cryptographic 
operations. 

The steps involved in using a data key K at 
using station i can be traced in Rgure 19. The CPU 
first determines tiiat a received data key K is to be 
used in a specific requested cryptographic opera- 
tion. Using ttie received value of "ID of KRij", ttie 
encrypted transport key eKM (KRij) is accessed 
from the data base 400 via line 460, and the 
encrypted key is read out on line 465. A requested 
operation on line 470 is input to command port 440 
of tiie cryptographic facility 410. The encrypted 
transport key eKM'(KRii) accessed from data base 
400. the value f4(K,Ci,PVi). control value Ci, and 
value f3(KRij.RN) extracted from tiie received mes- 
sage, and otiier inputs necessary to the requested 
cryptographic operation but not received in the 
same message from the generating station, are 
presented as data Inputs at input port 445. In 
response to the requested operation, the command 
decoder at 415 activates tiie "operation allowed" 
procedure 420. Once enabled, tiie "operation al- 
lowed" procedure 420 will accept inputs f4- 
(K,Ci.PVi), Ci. f3(KRij.RN) and eKM'(KRij) from in- 
put port 445. These inputs are temporarily stored in 
tiie cryptographic facility 410. Using the just read 
value of Ci. tiie "operation allowed" procedure de- 
termines whether the usage of data key K in the 
requested operation is authorized or granted on the 
basis of data in the control value Ci. If so, then the 
"operation allowed" produces an activate check 
procedure on line 425. which enables the check 
procedure 430. If not. then the "operation allowed" 
procedure 420 produces an activate abort opera- 



tion on line 426. Once enabled, tiie abort operation 
427 erases tiie inputs read from input port 445 and 
temporarily stored in tiie cryptographic facility 410 
and enables another requested operation via com- 

5 mand port 440. Once enabled, the check proce- 
dure 430 will accept inputs f4(K.Ci.PVi). Ci, f3- 
(KRij.RN). and eKM'(KRij) which have been tem- 
porily stored in tiie cryptographic facility 410. 

The inputs are processed as follows. The value 

70 eKM'(KRij) is decrypted at 431 under master key 
variant KM'. KM' is a dynamically generated vari- 
ant of the master key KM. where KM is stored in 
the key and parameter storage of ttie cryptographic 
facility 410. as shown in Rgure 2. and is available 

rs for use by tfie check procedure 430. The decryp- 
ted output KRij and tiie input value f3(KRij,RN) are 
processed via combining function ga at 432 to 
produce output data key K. The so-produced data 
key K, tiie input control value Ci, and public value 

20 PVt are processed via combining function f^ at 433 
to produce output f4(K,Ci.PVi). The public value 
PVi associated with using station i is stored in the 
key and parameter storage of the cryptographic 
facility 410, as shown in Rgure 2, and is available 

25 for use by the check procedure 430. The so- 
produced value f4(K,Ci,PVi) and the input value f4- 
(K,Ci.PVi) are compared for equality at 434. If not 
equal, then an activate abort operation is produced 
on line 428; but if equal, an activate "microcode to 

30 perform requested operation" is produced on line 
429. Once enabled, tiie abort operation 427 erases 
the inputs read from input port 445 and temporarily 
stored in tiie cryptographic facility 410 and enables 
another requested operation via command port 

35 440. Once enabled, tiie microcode to perform re- 
quested operation 480 will accept input to request- 
ed operation on line 481 via input port 445 and the 
so-produced key K on line 482. which is tiie output 
from combining function ga at 432. The requested 

40 operation is then performed at 480 using these key 
and data inputs. The output of the requested op- 
eration 480 is tiien presented at output port 450 
and appears on line 483. 

Referring now to Rgure 20. there is shown a 

45 third embodiment of a generating station wherein a 
first and second form of a key K are generated via 
a fiftii function fs. In Rgure 20. tiiere is shown a 
data base 500 and a cryptographic facility 510 
containing a command decoder 515, a random key 

50 generator 520, a generate key function 530, a com- 
mand port 540. an input port 545. and an output 
port 550. Each using station i shares a unique 
secret transport key, KRi. witti tiie generating sta- 
tion, which is used by the generating station to 

55 encrypt and forward data keys to tiiat using station. 
These transport keys, KRI. KR2 KRn. are en- 
crypted under a prescribed variant of the master 
key of the generating station, KM . and this list of 
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encrypted transport keys, which is indexed by the 
IDs of the using stations, is stored in data base 
500. 

The generating station also has a central pro- 
cessing unit (CPU) which manages and controls 
the key generation process. The CPU determines 
the IDs of the using station for which keys are to 
be generated, it determines the control values as- 
sociated with the keys for each using station, it 
accesses encrypted keys from the data base, and 
it issues generate key commands to the cryp- 
tographic facility together with the appropriate con- 
trol values and encrypted keys. 

The steps involved in generating a data key K 
for using stations i and j can be traced in Rgure 
20. The CPU first determines that a data key is to 
be distributed to using stations i and j, i.e., with 
identifiers IDi and lOj, and that the control values at 
using stations i and j are Ci and Cj, respectively. 
The identifiers IDi and IDj are used via line 560 to 
access the encrypted transport keys, eKM'(KRi) 
and eKM'(KRj). from the data base 500, and these 
encrypted keys are read out on line 565. A 
"generate key" command on line 570 is input to 
command port 540 of the cryptographic facility 
510. The encrypted transport keys. eKM'(KRi) and 
eKM'(KRj), and the control values Ci and Cj. are 
presented as data inputs at input port 545. In 
response to the "generate key" command, the 
command decoder 515 produces an active gen- 
erate key function on line 525, which enables the 
generate key function 530. Once enabled, the gen- 
erate key function 530 will accept inputs Cj, eKM - 
(KRj). Ci, and eKM'(KRi) from input port 545 and a 
random data key K from random key generator 
520. 

The inputs are processed as follows. The value 
eKM'(KRi) is decrypted at 531 under master key 
variant KM'. Km' is a dynamically generated vari- 
ant of the master key KM. where KM is stored in 
-the key and parameter storage of the cryptographic 
facility 510, as shown in Rgure 2, and is available 
for use by the generate key function 530. The 
decrypted output KRi, the control value Ci. and the 
data key K are processed via combining function fs 
at 533 to produce output f5(KRi,Ci,K). The value 
eKM (KRj) is decrypted at 532 under master key 
variant KM . The decrypted output KRj. the control 
value Cj, and K are processed via combining func- 
tion fs at 534 to produce output f5{KRj.C].K). The 
two values f5(KRi.Ci,K) and f5{KRi,Cj.K) are then 
presented as outputs at output port 550 and appear 
on output lines 551 and 552, respectively. 

The serial data represented by f5(KRi.Ci.K) on 
line 531 is loaded into a shift register and read out 
into an output buffer. The output buffer is also 
loaded with a header and synchronizing data The 
data in the output buffer is then read out serially 



and sent to using station i. In like manner, the 
serial data represented by f5(KRj,Ci.K) on line 552 
is loaded into a shift register and read out into an 
output buffer. The output buffer is also loaded with 

5 a header and synchronizing data. The data in the 
output buffer is then read out serially and sent to 
using station j. 

Referring now to Rgure 21, there is shown a 
fourth embodiment of a generating station wherein 

70 a first and second form of a key K are generated 
via a sixth function fs. In Rgure 21, there is shown 
a data base 600 of encrypted transport keys, a 
data base of public values 605, and a crypto- 
graphic facility 610 containing a command decoder 

75 615. a random key generator 620. a generate key 
function 630, a command port 640, an input port 
645, and an output port 650. Each pair of using 
stations i and j that can communicate share a 
common secret transport key KRij. which is also 

20 shared with the generated station. The generating 
station uses KRij to encrypt and fon^^ard data keys 
to using stations i and j. These transport keys, 

KRI .2. KRI .3 KRn,n-1. are encrypted under a 

prescribed variant of the master key of the generat- 

25 ing station, KM', and this list of encrypted transport 
keys, which is indexed by the respective IDs of the 
using stations, is stored in data base 600. 

Also associated with each using station i is a 
public value. PVi. which is used by the feneratJpt§ 

30 station to distinguish data keys sent to ysing stss^ 
tion i via transport key KRij from data keys sent to 
using station j. also via transport key KPij. These 

public values PV1. PV2 PVn. indexed by the ID 

of the using station, are stored in data base 605. 

35 The generating station also has a central pro- 
cessing unit (CPU) which manages and controls 
the key generation process. The CPU detenmines 
the IDs of the using stations for which keys are to 
be generated, it detemnines the control values as- 

40 sociated with the keys for each using station, it 
accesses encrypted keys and public values from 
the data base, and it issues generate key com- 
mands to the cryptographic facility together with 
the appropriate control values, public values, and 

45 encrypted keys. 

The steps involved in generating a data key K 
for using stations i and j can be traced in Rgure 
21 . The CPU first determines that a data key is to 
be distributed to using stations i and j, i.e., with 

50 identifiers IDi and IDj, that the control values at 
using stations i and j are Ci and Cj. respectively, 
and tiiat the public values at using stations i and j 
are PVi and PVj, respectively. The identifiers IDi 
and IDj are used via line 660 to access the encryp- 

55 ted transport key eKM'(KRij) from data base 600. 
and tiiis encrypted key is read out on line 661 . The 
identifiers IDi and IDj are also used via line 662 to 
access tfie public values PVi and PVj from data 
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base 605. and these public values are read out on 
line 663. A "generate key" command on line 670 is 
input to command port 640 of the cryptographic 
facility 610. The encrypted transport key oKM' - 
(KRij), the public values PVi and PVj. and the 
control values Ci and Cj are presented as data 
inputs at input port 645. In response to the 
"generate key" command, the command decoder 
615 produces an active generate key function on 
line 625, which enables the generate key function 
630. Once enabled, the generate key function 630 
will accept inputs eKM'(KRij). PVj, Cj. PVi, and Ci 
from input port 645 and a random data key K from 
random key generator 620. 

The inputs are processed as follows. The value 
eKM'(KRij) is decrypted at 631 under master key 
variant KM'. KM' Is a dynamically generated vari- 
ant of the master key KM, where KM is stored in 
the key and parameter storage of the cryptographic 
facility 610. as shown in Rgure 2, and is available 
for use by the generate key function 630. The 
decrypted output KRij, the control value Ci, the 
public value PVi, and the random data key K are 
processed via combining function fc at 632 to pro- 
duce output f6(KRij.Ci.PVi.K). The decrypted output 
KRij. the control value Cj, the public value PVj, and 
the random data key K are processed- via combin- 
ing function fs at 633 to produce output f6- 
(KRij.Cj,PVj.K). The two values f6(KRij.Ci.PVi.K) 
and f6(KRij.Cj,PVj,K) are then presented as outputs 
at output port 650 and appear on lines 651 and 
652, respectively. 

The serial data represented by f6(KRij.CiPVi.K) 
on line 651 is loaded into a shift register and read 
out in parallel to an output buffer. The output buffer 
is also loaded with a header and synchronizing 
data. The data in the output buffer is then read out 
serially and sent to using station i. In like manner, 
the serial data represented by f6(KRij.Cj.PVj.K) on 
line 652 is loaded into a shift register and read out 
in parallel to the output buffer. The output buffer is 
also loaded witii a header and synchronizing data. 
The data in the output buffer is then read out 
serially and sent to using station j. 

Rgure 22 shows an example of an embodi- 
ment of function fs and a related function gs. By 
definition, these functions have tiiree inputs and 
one output In the case of fs, the inputs are KR, C 
and K. fs comprises first and second encryption 
facilities. In the first encryption facility, K is encryp- 
ted under C to produce eC(K). This is in turn 
encrypted under KR in the second encryption fa- 
cility to produce the eKR{eC{K)) = f5(KR.C.K). In 
the case of gs. the inputs are C. KR and f5(KR.C,K) 
= Y. gs comprises first and second decryption 
facilities. In the first decryption facility Y is decryp- 
ted under KR to produce dKR(Y). This is in turn 
decrypted under C in the second decryption facility 



to produce g5(KR.C,Y) = K. 

Rgure 23 shows an example of an embodi- 
ment of function fs and a related function gs. By 
definition, each has four inputs and one output The 

5 inputs to fs are KR, PV, C, and K. fs comprises 
first second and third encryption facilities. In the 
first encryption facility. K is encrypted under C to 
produce eC(K). This is in turn encrypted under PV 
in tiie second encryption facility to produce ePV- 

10 (eC(K)). Rnally. the output of the second encryp- 
tion facility is encrypted under KR in the tiiird 
encryption facility to produce f6{KR,C,PV.K) = Y. 
The inputs to gs are C. PV, KR. and Y. gs com- 
prises first second and third decryption facilities. In 

75 tiie first decryption facility. Y is decrypted under 
KR to produce dKR(Y). This is in turn decrypted 
under PV in the second decryption facility to pro- 
duce dPV(dKR(Y)). Rnally, tiie output of the sec- 
ond decryption facility ^s decrypted under C to 

20 produce the output g6(KR.C,PV.Y) = K. 

Referring now to Rgure 24, there is shown a 
third embodiment of a using station related to the 
third embodiment of the generating station shown 
in Rgure 20 wherein the received key K is recov- 

25 ered via function gs, which is related to function gs. 
In Rgure 24, tiiere is shown a data base 700 and a 
cryptographic facility 710 containing a command 
decoder 715, an "operation allowed" procedure 
720. an "abort operation" procedure 727, a key 

30 recovery function 730, a command port 740. an 
input port 745, an output port 750, and microcode 
780 to perform requested operation. Each using 
station i shares a unique secret transport key, KRi. 
with the generating station, which is used by the 

35 receiving station to receive encrypted data keys 
from tiie generating station. The transport keys 
shared with each generating station are encrypted 
under a prescribed variant of the master key of the 
receiving station. Km', and these encrypted trans- 

40 port keys are stored in data base 700. If tiiere were 
only one generating station and one key shared 
with that generating station, tiien there would be 
only one encrypted transport key in data base 700. 
■ The encrypted transport keys in data base 700 are 

45 indexed by an identifier, here refenred to as "ID of 
KR", which uniquely identifies each key in the list 
Thus, in Rgure 24, "ID of KR" refers to a particular 
KRi which using station i has shared with the 
generating station, and is the same KRi used by 

so the generating station to communicate witii using 
station i. 

The using station also has a central processing 
unit (CPU) which manages and controls the key 
recovery and key usage process. The CPU re- 
55 ceives a formatted message from the generating 
station, which contains the ID of tiie generating 
station, the IDi of the intended using station, the ID 
of KRi, a conti-ol value Ci, and a value f5(KRi,Ci,K). 
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The CPU parses messages received from the gen- 
erating station, extracts data parameters, accesses 
encrypted transport keys from its data base, and 
present key and data parameters to the crypto- 
graphic facility in conjunction with requested cryp- 
tographic operations. 

The steps involved in using a data key K at 
using station i can be traced in Rgure 24. The CPU 
first determines that a received data key K is to be 
used in a specified requested cryptographic opera- 
tion. Using the received value of "ID of KRi", the 
encrypted transport key eKM'(KRi) is accessed 
from the data base 700 via line 760, and the 
encrypted key is read out on line 765. A requested 
operation on line 770 is input to command port 740 
of the cryptographic facility 710. The encrypted 
transport key eKI\/l'(KRi) accessed from data base 
700. the control value Ci and the value f5(KRi,Ci.K) 
from the received message, and other inputs nec- 
essary to the requested cryptographic operation 
but not received in the same message from \he 
generating station, are presented as data inputs at 
input port 745. In response to ttie requested opera- 
tion, the command decoder 715 activates the 
"operation allowed" procedure 720. Once enabled, 
the "operation allowed" procedure 720 will accept 
inputs f5(KRi.Ci,K), Ci and eKM'(KRi) from input 
port 745. These inputs are temporarliy stored in tiie 
cryptographic facility 710. Using the just read value 
of Ci. the "operation allowed" procedure 720 deter- 
mines whether the usage of data key K in the 
requested operation is aiithorized or granted on the 
basis of data in the control value Ci. If so. tiien the 
"operation allowed" procedure 720 produces an 
activate key recovery function on line 725. which 
enables the key recovery function 730. If not, tiien 
tiie "operation allowed" procedure 720 produces 
an activate abort operation on line 726. Once en- 
abled, the abort operation 727 erases the inputs 
read from input port 745 and temporarily stored in 
the cryptographic facility 710 and enables another 
requested operation via command port 740. Once 
enabled, the key recovery function 730 will accept 
inputs f5(KRi.Ci.K). Ci and eKM'(KRi). which have 
been temporarily stored in the cryptographic fa- 
cility. 

The inputs are processed as follows. The value 
eKM'(KRi) is decrypted at 731 under master key 
variant KM'. KM' is a dynamically generated vari- 
ant of the master key. KM, where KM is stored in 
ttie key and parameter storage of the cryptographic 
facility 710. as shown in Rgure 2. and is available 
for use by the key recovery function 730. The 
decrypted output KRi and the input values of Ci 
and f5(KRi.Ci.K) are processed via combining func- 
tion gs at 732 to produce output data key K. The 
successful completion of the combining function gs 
also raises an activate operation on line 729, which 



enables the microcode that performs the requested 
operation. Once enabled, ttie microcode to perform 
requested operation 780 will accept input to re- 
quested operation on line 781 via iriput port 745 

5 and the so-processed data key K on line 782. 
which is input from combining function gs at 732. 
The requested operation is then performed at 780 
using tiiese key and data inputs. The output of tiie 
requested operation 780 is then presented at out- 

70 put port 750 and appears on line 783. 

Referring now to Figure 25, ttiere is shown a 
fourtii embodiment of a using station related to the 
fourth embodiment of tiie generating station shown 
in Rgure 21 wherein tiie received key K is recov- 

75 ered via function gs, which is related to function fe. 
In Rgure 25, tiiere is shown a data base 800 and a 
cryptographic facility 810 containing a command 
decoder 815, an "operation allowed" procedure 
820, an "abort operation" procedure 827, a key 

20 recovery function 830. a command port 840. an 
input port 845, an output port 850. and microcode 
870 to perform requested operation. Each pair of 
using stations i and j share a unique secret trans- 
port key. KRij, which is also shared witii ttie gen- 

25 erating station. The transport key KRij is used by 
using station 1 to recover or regenerate data keys 
from information received from a generating sta- 
tion, where the so-recovered or so-regenerated 
data keys will be used for communication with 

30 using station j. and vice versa. The transport keys 
shared in common with each other using station, 
and also with tiie generating station, are encrypted 
under a prescribed variant of tfie master key of ttie 
receiving station. KM . and these encrypted trans- 

35 port keys are stored in data base 800. The encryp- 
ted transport keys in data base 800 are indexed by 
an Identifier which uniquely relates tiie key to using 
station j. Thus, in Rgure 25, the term "ID of KRij" 
is the identifier of KRij. which is the transport key 

40 that using station I shares with using station j. 

The using station also has a central processing 
unit (CPU) which manages and conti-ols the key 
recovery and key usage process. The CPU re- 
ceives a fonmatted message from tiie generating 

45 station, which contains the ID of ttie generating 
station, ttie IDi of the intended using station, ttie ID 
of KRij, a control value Ci. and a value f6- 
(KRij.Ci.PVi,K). The CPU parses messages re- 
ceived from tiie generating station, extracts data 

50 parameters, accesses encrypted ti'ansport keys 
from its data base, and presents key and data 
parameters to the cryptographic facility in conjunc- 
tion with requested cryptographic operations. 

The steps involved in using a data key K at 

55 using station i can be traced in Rgure 25. The CPU 
first determines that a received data key K is to be 
used in a specific requested cryptographic opera- 
tion. Using the received value of "ID of KRij", ttie 
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encrypted transport key eKM' (KRij) is accessed 
from the data base 800 via line 860. and the 
encrypted key is read out on line 865. A requested 
operation on line 870 is input to command port 840 
of the cryptographic facility 810. The encrypted 
transport key eKM' (KRij) accessed from data base 
800. the value f6(KRij.Ci,PVi.K) and control value Ci 
extracted from the receh/ed message, and other 
inputs necessary to the requested cryptographic 
operation but not received in the same message 
from the generating station, are presented as data 
inputs at input port 845. In response to the re- 
quested operation, the command decoder 815 ac- 
tivates the "operation allowed" procedure 820. 
Once enabled, the "operation allowed" procedure 
820 will accept inputs f6(KRij.Ci,PVi.K). Ci, and 
eKM'(KRii) from input port 845. These inputs are 
temporarily stored in the cryptographic facility 810. 
Using the just read value of Ci. the "operation 
allowed" procedure 820 detenmlnes whether the 
usage of data key K in the requested operation is 
authorized or granted on the basis of data in the 
control value Ci. If so. then the "operation allowed" 
procedure 820 produces an activate key recovery 
function on line 825, which enables the key recov- 
ery function 830. If not, then the "operation al- 
lowed" procedure 820 produces an activate abort 
operation on line 826. Once enabled, the abort 
operation 827 erases the inputs read from input 
port 845 and temporarily stored in the crypto- 
graphic facility 810 and enables anottier requested 
operation via command port 840. Once enabled, 
the key recovery function 830 will accept inputs f6- 
(KRij.Ci.PVi.K). Ci and oKM' (KRij). which have 
been temporarily stored in cryptographic facility 
810, 

The inputs are processed as follows. The value 
eKM'(KRij) is decrypted* at 831 under master key 
variant KM'. KM' is a dynamically generated vari- 
ant of the master key. KM, where KM is stored in 
the key and parameter storage of the cryptographic 
facility 810. as shown in Rgure 2. and is available 
for use by tiie key recovery function 830. The 
decrypted output KRij, tiie input value Ci. tfie value 
PVi, and tiie input value f6(KRI.],Ci,PVi,K) are pro- 
cessed via combining function gs at 832 to pro- 
duce output data key K. The public value PVi 
associated witii using station i is stored in tiie key 
and parameter storage of the cryptographic facility 
810, as shown in Rgure 2, and is available for use 
by the key recovery function 830. The successful 
completion of the combining function gs also raises 
an activate operation on line 829, which enables 
the microcode tiiat performs tiie requested opera- 
tion. Once enabled, tiie microcode 880 to perform 
the requested operation will accept input to re- 
quested operation on line 881 via input port 845 
and tiie so-produced data key K on line 882, which 



is the output from combining function g& at 832. 
The requested operation is then performed at 880 
using these key and data inputs. The output of tiie 
requested operation 880 is tiien presented at out- 

5 put port 850 and appears on line 883. 

At a using station we have shown the recovery 
and controlled use of a single data key. However, 
the invention could be enlarged to provide for tiie 
simultaneous recovery and controlled use of any 

10 number of any type of keys at each using station. 
The public values PV1*..PVn could be the IDs or 
functions of tiie IDs of the respective using sta- 
tions, in which case the two data bases would be 
combined. The public values could also be public 

75 keys in an RSA algorithm type system or could 
simply be random numbers. The control value 
may. under certain protocols, reside at tiie using 
station so that it would not be necessary to trans- 
mit tiie control value to Uie designated using sta- 

20 tions. For example, a using station may send with 
its request for a cryptographic key from the gen- 
erating station an appropriate or specified control 
value. 

Rgure 26 illusti^ates but one possible conti-ol 
25 vector which may be used. The control vector may 
be viewed as a bit map of one dimension which 
represents the control value used in any of ttie 
several embodiments of the invention described 
above. From left to right in Rgure 26, tiie first and 
30 second bits may be ones or zeros to control whetii- 
er the cryptographic key can be used to encipher 
or decipher or both encipher and decipher data. 
Following tiie first two bits is an initial chaining 
value (ICV) which, under the DES algorithm, con- 
as trols the mode of block chaining used in tiie pro- 
cess. The values for the ICV are shown in Rgure 
26 and they are mutually exclusive. Next, are two 
bits which control whetiier tiie cryptographic key 
can be used for message autiientication code gen- 
40 oration (MACGEN) or verification (MACVER). Fol- 
lowing tiiat is an ICV for ttie message autiientica- 
tion code. Next are two bits which control the 
translation of cipher text to or from another form. 
This is followed by an ICV for the translation of 
45 cipher text. Rnally, tiiere are two bits which control 
the translation of a personal identification number 
(PIN). 

To summarize, the sender, by specifying how a 
particular key should be handled at tiie receiver. 
50 via tiie control block C, determines key manage- 
ment operations at the receiver. Consequently, ex- 
posures at tiie receiver are minimized, provided 
tiiat tiie integrity of tiie cryptographic operations 
are assured, e.g., via a cryptographic facility. 

55 
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Claims 

1 . A method of controiling the use of securely 
transmitted information in a network of stations in 
which each potentially cooperating station includes 
a cryptographic facility which securely stores a 
master key and in which, for each transmission 
between a pair of stations, a cryptographic key 
result is provided for each station of the pair by a 
generating station which is either one of the pair or 
a station external to the pair under a cryptographic 
protocol common to the network, the cryptographic 
key results for the transmission having a random 
component notionally particular to the transmission, 
a master key variant component characteristic of 
the protocol and a target station component either 
particular to the stations individually or as a pair, 
wherein, in response to a generating command 
invoked in the generating station for establishing a 
control use secure transmission tjetween a des- 
ignated pair of stations, the generating station gen- 
erates the cryptographic key result for each des- 
ignated station, accesses the control value com- 
mon to the system for the permitted operation for 
each of the stations for the particular transmission, 
combines the control value with the common key 
result or each individual key result and causes the 
appropriate combined key result to be established 
in each station of the pair of the transmission.* and 
wherein the cryptographic facility in each station is 
arranged, when an operating command is invoked 
to perform a designated operation with respect to 
such securely transmitted information, to automati- 
cally abort such operation unless it matches the 
control value. 

2. A method as claimed in claim 1, wherein 
either each station has both a key generation func- 
tion and a key usage function, the combined key 
result being generated by the key generation func- 
tion of one of a pair of stations and transmitted to 
its own key usage function and to the key usage 
function of the other station; or a server station for 
the network has a key generation function for the 
network, the remaining user stations having key 
usage functions and the combined key result is 
generated in the server station and is transmitted to 
the key usage functions of a designated pair of 
stations. 

3. A method as claimed in claim 2, wherein 
each station stores a data base including a plurality 
of encrypted secret transport keys unique to each 
using station and indexed by identifications of the 
using stations, the encrypted secret transport keys 
being encrypted under a variant of the master key: 

the server station or any such station in 
response to a generating command, generating a 
random key in its cryptographic facility as a cryp- 
tographic key; 



accessing the encrypted secret transport keys 
for the designated using stations using the iden- 
tification for the using stations; 

decrypting in the cryptographic facility of the 
5 generating station the accessed ^ret ^ transport 
keys for the designated using stations using the 
variant of the master key; 

combining in the cryptographic facility of the 
generating station the decrypted secret transport 
10 keys with generated cryptographic key to produce 
a combined function fi for each designed using 
station; 

reading the control value for tiie permitted 
operation for each designated using station; 
75 combining tiie generated cryptographic key 

with tiie control value for each designated using 
station to produce a combined function iz] and 

transmitting the combined functions U and h 
for each designated using station and the control 
20 value to tiie corresponding designated using sta- 
tion. 

4. A method as claimed in claim 3, wherein the 
combining operation to produce the combined 
function fi is performed by encrypting tiie gen- 

25 erated cryptographic key under \he decrypted se- 
cret transport keys for each designated using sta- 
tion, and wherein tiie combining operation to pro- 
duce tine combined function h is performed by first 
encrypting the control values for each designate 

30 using station under tiie generated cryptdgraphle 
key and ttien exclusive ORing the thus encrypted 
control values with the control values for each 
designated using station. 

5. A method as claimed in claim 3 pr claim 4, 
35 comprising at a designated using station in re- 
sponse to the requesting of a cryptographic opera- 
tion requiring tiie use of the cryptographic key 
generated by the generating station in combination 
with a control value; 

40 accessing the encrypted secret transport key 

and temporarily storing in the local cryptographic 
facility, such encrypted secret transport key to- 
gether with tiie control value and tiie combined 
functions fi and h, 

45 checking, in the local cryptographic facility, tiie 
control value to determine if the requested opera- 
tion is allowed by such control value; 

if tiie requested operation is allowed, decryp- 
ting tiie encrypted secret transport key using a 

50 variant of said master key, combining the decryp- 
ted secret transport key wifli the combined function 
fi using a combining function gi to recover tiie 
generated cryptographic key, combining tiie recov- 
ered cryptographic key with tiie control value to 

55 produce an authentication function fa. comparing 
tiie temporarily stored combined function fz, and if 
ttie stored combined function h and tiie authen- 
ticating function fa are equal, enabling the request- 
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ed cryptographic operation; otherwise. 

aborting the requested cryptographic operation 
and erasing the values temporarily stored in the 
cryptographic facility of the using station. 

6. A method as claimed in claim 5 wherein the 
combining function gi is an inverse function of the 
function fi . 

7. A method as claimed in claim 2 wherein 
each station stores, in a first data base, a plurality 
of encrypted secret transport keys unique to each 
pair of using stations in ttie network and indexed 
by identifications of pairs of using stations sharing 
a secret transport key. the encrypted secret trans- 
port keys being encrypted under a variant of the 
master key, and in a second data base, a plurality 
of nonsecret values unique to each using station in 
the network and indexed by identifications of such 
using stations; 

the server station or each such station, in 
response to a generating command, generating a 
random number in its cryptographic facility; 

accessing tiie encrypted secret transport keys 
shared by designated using stations using tiie 
identifications for the using station pairs sharing the 
encrypted secret transport keys; 

accessing the nonsecret values for the 
designated using stations using the identifications 
for the designated using stations; 

decrypting the accessed secret ti^sport keys 
using tiie variant of tiie master key; 

combining tine generated random number witii 
tiie decrypted secret transport keys to produce a 
combined function fa for each of the designated 
using stations; 

combining the decrypted secret transport key 
with said combined function fa to generate the 
cryptographic key; 

reading ttie control value for the permitted 
operation for each designated using station; 

for each designated using station, combining 
the generated cryptographic key witii the control 
value and tiie nonsecret value for tiie designated 
using station to produce a combined function f* for 
tiie designated using station; and 

transmitting tiie combined functions h and f* 
for each designated using station and the control 
value to the corresponding designated using sta- 
tion. 

8. A metfiod as claimed in claim 7. wherein ttie 
combining to produce the combined function fa is 
performed by encrypting the random number under 
tiie decrypted secret ti-ansport key for each des- 
ignated using station. 

9. A method as claimed in claim 7, or claim 8 
wherein the combining to produce the combined 
function f* is performed by first encrypting the 
control values under the generated cryptographic 



key and then exclusive ORing the thus encrypted 
control values with the nonsecret values for each 
designated using station. 

10. A metiiod as claimed in any of claims 7 to 
5 9 further comprising, at a designated using station 

in response to the requesting of a cryptographic 
operation requiring the use of the cryptographic 
key generated by the generating station in com- 
bination with a control value; 

10 accessing the encrypted secret transport key 

and temporarily storing in the local cryptographic 
facility the encrypted secret transport key togetiier 
with the control value and tiie combined functions 
fa and f^. transmitted from the generating station; 

75 checking the control value to determine if the 

requested operation is allowed by a such control 
value; 

if tiie requested operation is allowed, decryp- 
ting the stored encrypted secret transport key us- 

20 ing a variant of the master key, combining the 
decrypted secret transport key with the combined 
function fa using a combining function ga to re- 
cover the generated cryptographic key, combining 
the recovered cryptographic key with the control 

25 value and tiie nonsecret value for tiie designated 
using station to produce an authentication function 
fi, comparing the temporarily stored combined 
function f* with the authenticating function fi. and if 
such stored combined function fi and authenticat- 

30 ing function fi are equal, enabling the requested 
cryptographic operation; otherwise, 

aborting tiie requested cryptographic operation 
and erasing the temporarily stored values. 

1 1 . A meOiod as claimed in claim 10 wherein 
35 the combining to produce the combined function fa 

is performed by making the combined function fa 
equal to the random number and wherein the com- 
bining function ga involves encrypting the random 
number under tiie decrypted secret transport key 
40 and then exclusive ORing the encrypted random 
number with the random number, 

12. A method as claimed in the claim 10 
wherein the combining function ga is an inverse 
function of the function fa. 

45 13. A method as claimed in claim 2, wherein 

each station stores a data base including a plurality 
of encrypted secret transport keys unique to each 
of the using stations and indexed by identifications 
of the using stations, Uie encrypted secret transport 

50 keys being encrypted under a variant of the master 
key; 

tiie server station or each such station in 
response to a generating command, generating a 
random number in its cryptographic facility as a 
55 cryptographic key; 

accessing the encrypted secret transport keys 
for the designated using stations using the iden- 
tification for such using stations; 
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decrypting the accessed secret transport keys 
for the designated using stations using the variant 
of the master key; 

reading the control value for the permitted 
operation for each designated using station: 

combining the decrypted secret transport keys 
with the generated cryptographic key and the con- 
trol values for each designated using station to 
produce combined function fs for each designated 
using station; and 

transmitting the combined function fs for each 
designated using station arid the control value to 
the corresponding designated using station. 

14. A method as claimed in claim 13 wherein 
the combining operation to produce the combined 
function fs for each designated using station is 
performed by encrypting the generated crypto- 
graphic key under the control value for the cor- 
responding designated using station to produce a 
first encrypted value and then encrypting such first 
encrypted value under the decrypted secret trans- 
port key for the con^esponding designated using 
station. 

15. A method as claimed in claim 13 or claim 
14. further comprising at a designated using sta- 
tion, in response to the requesting of a crypto- 
graphic operation requiring the use of the cryp- 
tographic key generated by the generating station 
in combination with a control value; 

accessing the encrypted secret transport key 
and temporarily storing in the cryptographic facility 
of the designated using station the encrypted se- 
cret transport key together with the control value 
and the combined function fs; 

checking the control value to detemnine if the 
requested operation is allowed by said control val- 
ue; 

if the requested operation is allowed, decryp- 
ting the said encrypted secret transport key using a 
variant of the master key. combining the decrypted 
secret transport key with the combined function fs 
and the control value using a combining function gs 
to recover the generated cryptographic key, and 
enabling the requested cryptographic operation; 
otherwise, 

aborting the requested cryptographic operation 
and erasing the temporarily stored values. 

16. A method as claimed in claim 15 wherein 
the combining function gs is an inverse function of 
the function fs. 

17. A method as claimed in claim 2. wherein 
each station stores, in a first data base, a plurality 
of encrypted secret transport keys unique to each 
pair of using stations in the network and indexed 
by identifications of pairs of using stations sharing 
a secret transport key. the encrypted secret trans- 
port keys being encrypted under a variant of the 
master key. and 



in a second data base, a plurality of nonsecret 
values unique to each using station in the networi< 
and indexed by Identifications of the using stations; 
the server station or each such station, in 
5 response to a generating command, generating a 
random number in its cryptographic facility as a 
cryptographic key; 

accessing the encrypted secret transport keys 
shared by designated using stations using tiie 
70 identifications for the using station pairs sharing Vhe 
encrypted secret transport keys: 

accessing tiie nonsecret values for ttie 
designated using stations using the identifications 
for such designated using stations; 
75 decrypting tiie accessed secret transport keys 

using the variant of ttie master key: 

reading the control value for tfie permitted 
operation for each designated using station; 

combining the generated cryptographic key 
20 with the decrypted secret ti'ansport key. control 
value and nonsecret value for each designated 
using station to produce a combined function k for 
each designated using station; and 

ti-ansmitting the combined function h for each 
25 designated using station and the control value to 
tiie corresponding designated using station. 

18. A method as claimed in claim 17 wherein 
the combining operation to produce tiie combined 
function fs is performed by encrypting the cryp- 

30 tographic key under the control value for the d^- 
ignated using station to produce a first encrypted 
value, encrypting tiie first encrypted value under 
the nonsecret value for tiie designated using sta- 
tion to produce a second encrypted value, and 

35 encrypting the second encrypted value under tiie 
decrypted secret transport key for the designated 
using station. 

19. A metiiod as claimed in claim 17 or claim 
18. further comprising at a designated using station 

40 in response to tiie requesting of a cryptographic 
operation requiring tiie use of the cryptographic 
key generated by the generating station in com- 
bination with a control value; 

accessing the encrypted secret transport key 

45 and the nonsecret value and temporarily storing in 
tiie cryptographic facility of the designated using 
station tiie transmitted encrypted secret transport 
key together witii the contirol value and the com- 
bined function fs; 

50 checking the control value to determine if the 

requested operation is allowed by such control 
value; 

if tiie requested operation is allowed, decryp- 
ting tiie stored encrypted secret ti-ansport key us- 
55 ing a variant of the master key. combining tiie 
decrypted secret transport key witfi tiie control 
value, tiie nonsecret value and tiie combined func- 
tion fs using a combining function gs to recover the 
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generated cryptographic key, and enabling the re- 
quested cryptographic operation; otherwise, 

aborting the requested cryptographic operation 
and erasing the temporariiy stored values. 

20. A method as claimed in claim 18. wherein 5 
the combining function gs is an inverse function of 
the function of fs. 
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